Zbot Desperately Seeking AIM Users

The Zbot keylogger campaign-of-the-month targets users of AOL Instant Messenger (AIM) with a message that claims to be an update notification for users of the instant messaging client application. Users unfortunate enough to click through the link in the email message to download what they think is something called “aimupdate_7.1.6.475.exe” will be in for a rude awakening.

The malicious page delivers its payload whether or not a victim clicks the link to get executable file: It opens an iframe to a site that attempts to use vulnerable versions of Adobe Reader to push the Zbot keylogger down to the victim’s computer, then execute it, within a few moments of the page loading.

The address of the iframed page resides in a particularly sketchy corner of the net. The network the IP address is part of, known as AS50369, goes by the name VISHCLUB-as Kanyovskiy Andriy Yuriyovich. Sure sounds a lot like someone’s name for their phishing gang. The same network has been in use for the past week delivering payloads on well-worn Outlook Web Access and HMRC Zbot download pages.

Seriously, though: Vishclub? Is that the best the Russian hackers can come up with? It sounds like what you’d call a fisherman’s smoking lounge on the Baltic coast, where thick clouds of cheap tobacco is the only thing that can overpower the putrid stench of rotting seafood.

The fake page has the outward appearance of a page hosted by AOL, but it clearly isn’t the real deal. Once you take a closer look, the site and its social engineering tricks begin to smell a bit like day-old fishwrap, as well.

To begin with, AOL doesn’t release update “patch” applications for AIM. When they have a new release, you download the whole application’s installer. The current version sizes up at about 7MB; The Trojan is only around 130KB. In addition, the true AIM installer carries a digital signature from AOL LLC, the parent company. This one has no such signature.

The link to the download uses a URL that begins with “update.aol.com” but is followed by the malicious domain name, which is a six- to seven-random-character word followed by .com.pl (which indicates the domain was registered as a business in Poland, but isn’t necessarily hosted there). There are dozens of URLs in use that lead to identical looking pages, and each one points to at least 15 IP addresses at different Web hosting firms.

Like many of the previous Zbot campaigns (such as those targeting theIRS, CDC, Visa, and otherorganizations, as well as software programs like Microsoft Outlook, or Web sites such as Facebook), the URL contains the email address to which the original message was sent; That email address appears near the top of the browser window. That’s social engineering trick number one, and you can easily see that it’s possible to manipulate this data simply by putting a different email address in the URL string.

Regular users of AOL Instant Messenger might know that the current, real version (as I write this) is 7.1.6.4, but the version number in this bogus message is 7.1.6.475.

AOL has released an update for AOL Instant Messenger (AIM) which fixes several major bugs. This update is critical and provides you with the latest version of the AIM and offers the highest levels of stability and security.

By clicking the download button below you agree to the terms of the AIM Software End User Agreement, Privacy Policy, and Terms of Service.

Once downloaded, this “aimupdate” file carries a generic program icon, and is only around 125KB to 135KB in size (the size varies because Zbot Trojans are padded with variable amounts of random junk data so they’re harder to identify).

The exploits the page employs are pretty complex. It opens, in an iframe, a page hosted on the IP address in the “Vishclub” network, which in turn loads a fairly large (15628 byte) blob of obfuscated javascript.

The script invokes the browser to load Adobe Reader, then pushes a file called “pdf.pdf” down to the Reader. That file is built to attack the Collab overflow exploit (CVE-2007-5659), the util.printf overflow exploit (CVE-2008-2992), and the getIcon exploit (CVE-2009-0927) in order to force the operating system to download and execute files.

As we’ve recommended before, unless you have an absolute and explicit need to use it, turn off Adobe Reader’s embedded Javascript. (Click Edit -> Preferences, then select JavaScript in the left pane, and deselect “Enable Acrobat JavaScript”.)

And, when in doubt about a software update, go to the software maker’s Web site yourself; Don’t follow fishy, phishy update links you receive via email, or elsewhere.